> I'll try to be a little more specific...
>
> Is anyone pursuing any work in analyzing the byte
> sequences or code at the PE file entry point in order
> to identify the obfuscator, packer, encrypter, or
> compiler used?
>
> Thanks,
>
> Harlan
>
Harlan,
The idea is discussed frequently among reversers. I don't know of any
generic OEP finders out there. You can look on this page
(http://www.openrce.org/downloads/browse/OllyDbg_OllyScripts) for various
OllyDbg scripts that have been developed for specific purposes. In the
latest generation of protectors, finding the OEP of the protected program is
becoming much more difficult. In Shiva for example, because it is a
multi-stage protector, when you get to what you might think is the OEP, you
are actually at the start of the Shiva runtime manager. In SOTM 33, there
was no traditional OEP because it unwrapped into a virtual machine and you
still were faced with reversing the virtual machine, and the program that it
interpreted.
Chris
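The entry-point signature matching Harlan asks about, as an added example (not code from this thread, nor from PEiD or OllyDbg): parse the PE headers, map AddressOfEntryPoint through the section table to a file offset, and compare the leading bytes against PEiD-style wildcard signatures. The signature table is illustrative (the UPX pattern is the familiar pushad/mov esi/lea edi prologue, the MSVC one the call/jmp shape of the CRT entry stub, both simplified), and build_test_pe, the function names and the sample bytes are constructed for the demo. It also handles the case where the entry RVA is not backed by any data on disk. Keep Chris's caveat in mind: a match tells you which stub you are standing on, not where the real program's OEP is.

```python
"""Identify a packer/compiler from the bytes at a PE's entry point.

Added example (not from the original thread). Signature syntax follows the
PEiD convention: space-separated hex bytes, "??" matches any byte.
"""
import struct

# Illustrative signature table (constructed for this demo, not a real DB).
# UPX: pushad / mov esi,src / lea edi,[esi+delta] / push edi / or ebp,-1.
# MSVC: the call __security_init_cookie; jmp __scrt_common_main shape.
SIGNATURES = {
    "UPX (pushad/mov esi/lea edi prologue)": "60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF",
    "MSVC-style CRT entry stub (call; jmp)": "E8 ?? ?? ?? ?? E9 ?? ?? ?? ??",
}


def compile_sig(sig):
    """'60 BE ?? 8D' -> [0x60, 0xBE, None, 0x8D]; None is a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]


def match_sig(data, pattern):
    """True if `data` starts with `pattern`, wildcards matching anything."""
    if len(data) < len(pattern):
        return False
    return all(p is None or p == b for p, b in zip(pattern, data))


def parse_pe(blob):
    """Return (entry_rva, [(va, vsize, raw_ptr, raw_size), ...]); raise on non-PE."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", blob, coff + 2)
    (opt_size,) = struct.unpack_from("<H", blob, coff + 16)
    opt = coff + 20
    # AddressOfEntryPoint sits at offset 16 of the optional header for PE32 and PE32+.
    (entry_rva,) = struct.unpack_from("<I", blob, opt + 16)
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", blob, off + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    return entry_rva, sections


def rva_to_offset(rva, sections):
    """Map an RVA to a file offset via the section table; None if nothing on disk backs it."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            delta = rva - va
            return raw_ptr + delta if delta < raw_size else None  # None: virtual-only tail
    return None


def entry_point_bytes(blob, n=32):
    """First `n` bytes at the entry point, or b'' if the EP is not backed by file data."""
    entry_rva, sections = parse_pe(blob)
    off = rva_to_offset(entry_rva, sections)
    return b"" if off is None else blob[off:off + n]


def identify(blob):
    """Names of all signatures matching the entry-point bytes (empty list if none)."""
    data = entry_point_bytes(blob)
    return [name for name, sig in SIGNATURES.items() if match_sig(data, compile_sig(sig))]


def build_test_pe(entry_code):
    """Constructed fixture: a minimal, non-runnable PE32 with one .text section at
    RVA 0x1000 (file offset 0x200) and AddressOfEntryPoint = 0x1010."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1010)                        # AddressOfEntryPoint
    sec = b".text".ljust(8, b"\0") + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + bytes(16)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    text = bytearray(0x200)
    text[0x10:0x10 + len(entry_code)] = entry_code
    return headers + bytes(text)


if __name__ == "__main__":
    # Constructed sample: UPX-style prologue followed by NOP padding.
    sample = bytes.fromhex("60BE009040008DBE0080FFFF5783CDFFEB10") + b"\x90" * 20
    print(identify(build_test_pe(sample)))
```

A quick sanity check in practice is to run this on a binary before and after packing it with a known packer: the packed file should stop matching the compiler stub and start matching the packer's. Prefix matching with wildcards only tolerates differing immediates, so a protector that inserts junk instructions before its real prologue, or that places the entry point outside any section, will produce no match at all; that is the point at which the OllyDbg scripts Chris links to, rather than static signatures, become the tool of choice.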